In various industries and organizations, the parties that provide and receive services may need to communicate with each other. Often this communication is performed on paper or through other non-electronic media; for example, the parties may communicate by mail or fax.
With the advent of networks such as the Internet, the parties may communicate with each other through electronic media. For example, one party may send information to another party by electronic mail (email). In another example, one party may maintain a file store and allow visiting parties to retrieve from it using a protocol such as the File Transfer Protocol (FTP).
In certain industries, for example health care, certain precautions may be required when parties share information with each other. Some of these precautions may be mandated by federal laws or regulations. In particular, statutes may require that when information passes from one party to another (e.g. from a first health care provider to a second health care provider), security and privacy protections such as encryption are maintained, to reduce the likelihood of security breaches and of violations of privacy regulations through the disclosure of protected health information (PHI).
The Office of the National Coordinator for Health Information Technology (ONC) established the Direct Project, which defines a standard protocol for secure messaging by email. The Direct protocol allows participants to send authenticated, secure messages containing encrypted health information to known, trusted recipients over the Internet. In essence, the Direct protocol creates a closed network in which only verified and trusted participants may communicate with each other. The Direct protocol carries messages over the Simple Mail Transfer Protocol (SMTP) and protects them with S/MIME signing and encryption, which requires an X.509 digital certificate for each participant: the sender's certificate authenticates the message and the recipient's certificate is used for encryption, with the recipient's private key used for decryption.
Each provider that shares health information may be registered with a Health Information Service Provider (HISP), which is similar to an Internet Service Provider (ISP) but specializes in Direct secure messaging (secure email). One HISP may serve many health care entities. Additionally, several HISPs may be established, and communication between HISPs may be performed using a closed-network messaging protocol such as Direct. Each health care entity is given a unique Direct address by its HISP, and these addresses are used to communicate with one another (for example, ‘physicianX@direct.hospitalA.org’).
An example of communicating over a closed network such as one that employs the Direct protocol is described below. The sender submits the message to the sender's HISP, which pushes it to the receiver's HISP. In this case, the sender may be a general physician who wants to transmit health information to a specialist.
The sender's HISP may communicate securely with the receiver's HISP only if the two HISPs have established trust by exchanging trust anchor certificates. The sender's HISP consults a routing information directory to determine which HISP serves the recipient's address and pushes the message to the receiver's HISP accordingly.
In the final stage, the receiver's HISP receives the encrypted message, verifies that it was signed by a sender whose certificate chains to a trusted anchor, decrypts it, and provides the message in unencrypted form to the recipient. Thus, through closed messaging such as the Direct protocol, a first health care provider may securely and electronically transmit health information to an authenticated second health care provider. Because the messaging occurs electronically, delivery of health information is both more efficient and secure.
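The exchange described above, written out as an added example in Go. This is illustrative code written for this page, not the Direct Project's specification or any HISP's implementation. It assumes that each HISP acts as its own certificate authority whose self-signed certificate is the trust anchor it exchanges with peers; the domains, addresses, the in-memory routing map standing in for the routing information directory, and the message body are all hypothetical; a signed-and-encrypted Envelope struct stands in for the S/MIME message; and, to keep the block short, the body is encrypted straight under RSA-OAEP (so it must fit one RSA block) instead of under a wrapped symmetric content key as S/MIME does. The two checks the text relies on are made explicit: the receiving HISP accepts a message only if the sender's certificate chains to a trust anchor it has imported, and it does so before touching the decryption key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added model of a Direct exchange, not Direct Project code; domains, addresses and the routing table are hypothetical.
type HISP struct {
	caCert  *x509.Certificate            // this HISP's trust anchor (self-signed CA)
	caKey   *rsa.PrivateKey              // key used to issue certificates for served addresses
	certs   map[string]*x509.Certificate // Direct address -> certificate
	keys    map[string]*rsa.PrivateKey   // Direct address -> private key
	anchors *x509.CertPool               // trust anchors accepted here, own one included
}
// Envelope stands in for the S/MIME message: encrypted to the recipient, signed by the sender.
type Envelope struct {
	From, To   string
	SenderCert []byte // DER, so the receiving HISP can chain it to an anchor
	Ciphertext []byte // RSA-OAEP to the recipient's certificate (short bodies only; S/MIME wraps a content key this way)
	Signature  []byte // RSA PKCS#1 v1.5 over SHA-256(From|To|Ciphertext)
}
var routing = map[string]*HISP{} // routing information directory: Direct domain -> HISP serving it
func domainOf(addr string) string { return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:]) }
func digest(e *Envelope) []byte { s := sha256.Sum256([]byte(e.From + "|" + e.To + "|" + string(e.Ciphertext))); return s[:] }
// issue certifies key's public half, signed by signer, under tmpl (tmpl == parent gives a self-signed anchor).
func issue(tmpl, parent *x509.Certificate, key, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // only a malformed template gets here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// NewHISP creates the HISP for a Direct domain and issues a certificate for each address it serves.
func NewHISP(domain string, addrs ...string) *HISP {
	h := &HISP{certs: map[string]*x509.Certificate{}, keys: map[string]*rsa.PrivateKey{}, anchors: x509.NewCertPool()}
	h.caKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: domain + " trust anchor"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	h.caCert = issue(ca, ca, h.caKey, h.caKey)
	h.anchors.AddCert(h.caCert) // a HISP trusts its own anchor, so mail between its own users works
	for _, addr := range addrs {
		h.keys[addr], _ = rsa.GenerateKey(rand.Reader, 2048)
		leaf := &x509.Certificate{Subject: pkix.Name{CommonName: addr}, EmailAddresses: []string{addr},
			KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
		h.certs[addr] = issue(leaf, h.caCert, h.keys[addr], h.caKey)
	}
	routing[domain] = h
	return h
}
// ExchangeAnchors is the out-of-band certificate exchange that makes two HISPs trust each other.
func ExchangeAnchors(a, b *HISP) { a.anchors.AddCert(b.caCert); b.anchors.AddCert(a.caCert) }
// Send is the sending HISP's push: route on the recipient's domain, fetch the recipient's certificate from the peer, encrypt, sign.
func (h *HISP) Send(from, to string, body []byte) (*Envelope, error) {
	peer := routing[domainOf(to)]
	if h.keys[from] == nil || peer == nil || peer.certs[to] == nil {
		return nil, fmt.Errorf("%s -> %s: sender unregistered, no route, or no recipient certificate", from, to)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peer.certs[to].PublicKey.(*rsa.PublicKey), body, nil)
	if err != nil {
		return nil, err // body longer than one RSA-OAEP block
	}
	env := &Envelope{From: from, To: to, SenderCert: h.certs[from].Raw, Ciphertext: ct}
	env.Signature, err = rsa.SignPKCS1v15(rand.Reader, h.keys[from], crypto.SHA256, digest(env))
	return env, err
}
// Receive: the sender's certificate must chain to an imported anchor and name the From address, and the signature must verify, before decryption.
func (h *HISP) Receive(env *Envelope) ([]byte, error) {
	cert, err := x509.ParseCertificate(env.SenderCert)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: h.anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	}
	if err != nil || cert.Subject.CommonName != env.From || h.keys[env.To] == nil ||
		rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest(env), env.Signature) != nil {
		return nil, fmt.Errorf("rejected %s -> %s (untrusted anchor, wrong subject, unknown recipient or bad signature): %v", env.From, env.To, err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, h.keys[env.To], env.Ciphertext, nil) // plaintext for the recipient
}

func main() {
	a := NewHISP("direct.hospitala.org", "physicianx@direct.hospitala.org") // hypothetical HISPs and addresses
	b := NewHISP("direct.clinicb.org", "specialisty@direct.clinicb.org")
	ExchangeAnchors(a, b)
	env, _ := a.Send("physicianx@direct.hospitala.org", "specialisty@direct.clinicb.org", []byte("constructed referral"))
	fmt.Println(b.Receive(env))
}
```

The closed-network property falls out of the anchor pool: a third HISP that never exchanged anchors with the receiving HISP can still look up the recipient's certificate and produce a well-formed message, but Receive fails at the chain check, and the receiving HISP's private key is never used on it. The order of checks matters for the same reason: chain validation and signature verification run before RSA decryption, so untrusted input never reaches the decryption routine.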
The above example describes a situation in which one physician is communicating with another physician. One of ordinary skill in the art may appreciate that the above described messaging may occur with various parties, such as clinics, patients, testing labs, and the like.
The Direct Project and Direct standard also allow for system endpoints (i.e. an automated sender or an automated receiver), so that the following combinations of sender and receiver are possible using Direct:
Sender   Receiver
Person   Person
Person   System
System   Person
System   System
The legislated name under the Affordable Care Act for a Direct secure email address is “Electronic Service Information” (ESI). Use of Direct by health care providers is mandated under the Affordable Care Act for Meaningful Use Stage Two, which under the present Act is required beginning in January 2014. As a result, Direct secure email accounts are becoming a widely available commodity as numerous vendors drive down the cost of operating a Direct HISP.